Re: Using Syncope REST endpoints with an OIDC authorizationCode
Thanks Francesco for this very detailed answer. This is indeed what I suspected, but I was not 100% sure.

Best regards
Lionel

- On 26 Mar 22, at 6:55, Francesco Chicchiriccò ilgro...@apache.org wrote:

> On 25/03/22 18:06, Lionel SCHWARZ wrote:
>> Dear all,
>>
>> Considering I have enabled the OIDC extension and properly configured my OIDC
>> provider (keycloak), and considering I am able to retrieve from this provider
>> an AuthorizationCode, how is it possible for me to use the REST endpoints using
>> this authorization code?
>
> Hi Lionel,
> the OpenID Connect client extension [1] is designed to work for the UI (Console,
> Enduser), not for REST endpoints.
>
> In fact, the extension adds some components that on one side implement the
> OIDC protocol communications in the UI itself, while using existing Syncope
> constructs and components on the other side.
> The overall OIDC client authentication process initiated by Syncope Console or
> Enduser ends up getting an ordinary Syncope JWT to authenticate REST calls
> to Core.
>
> FYI, the SAML 2.0 extension [2] works in the same way.
>
> It is indeed possible to authenticate REST calls by passing JWT values different
> than the ones generated by Syncope itself after authentication, by providing
> JWTSSOProvider [3] implementations.
>
> Essentially, an implementation will need to provide at least two things:
>
> 1. the JWT issuer value to match, for which the class will be invoked by Syncope
>
> 2. a means to resolve the JWT claims into an existing Syncope user
>
> It can also do other things, like using a different signature verification.
>
> Syncope itself uses such an implementation for the default JWT format [4].
> You can also look at an example in the test code [5].
>
> Hope this helps.
> Regards.
>
> [1] https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
> [2] https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
> [3] https://syncope.apache.org/docs/2.1/reference-guide.html#jwtssoprovider
> [4] https://github.com/apache/syncope/blob/syncope-2.1.11/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
> [5] https://github.com/apache/syncope/blob/syncope-2.1.11/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
Re: Using Syncope REST endpoints with an OIDC authorizationCode
On 25/03/22 18:06, Lionel SCHWARZ wrote:
> Dear all,
>
> Considering I have enabled the OIDC extension and properly configured my OIDC
> provider (keycloak), and considering I am able to retrieve from this provider
> an AuthorizationCode, how is it possible for me to use the REST endpoints using
> this authorization code?

Hi Lionel,
the OpenID Connect client extension [1] is designed to work for the UI (Console,
Enduser), not for REST endpoints.

In fact, the extension adds some components that on one side implement the
OIDC protocol communications in the UI itself, while using existing Syncope
constructs and components on the other side.
The overall OIDC client authentication process initiated by Syncope Console or
Enduser ends up getting an ordinary Syncope JWT to authenticate REST calls
to Core.

FYI, the SAML 2.0 extension [2] works in the same way.

It is indeed possible to authenticate REST calls by passing JWT values different
than the ones generated by Syncope itself after authentication, by providing
JWTSSOProvider [3] implementations.

Essentially, an implementation will need to provide at least two things:

1. the JWT issuer value to match, for which the class will be invoked by Syncope

2. a means to resolve the JWT claims into an existing Syncope user

It can also do other things, like using a different signature verification.

Syncope itself uses such an implementation for the default JWT format [4].
You can also look at an example in the test code [5].

Hope this helps.
Regards.

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#openid-connect-client
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#saml-2-0-service-provider
[3] https://syncope.apache.org/docs/2.1/reference-guide.html#jwtssoprovider
[4] https://github.com/apache/syncope/blob/syncope-2.1.11/core/spring/src/main/java/org/apache/syncope/core/spring/security/SyncopeJWTSSOProvider.java
[5] https://github.com/apache/syncope/blob/syncope-2.1.11/fit/core-reference/src/main/java/org/apache/syncope/fit/core/reference/CustomJWTSSOProvider.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
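As an added illustration of the two obligations Francesco lists (plus the optional custom signature check), not code from Syncope or from the test provider in [5]: a JWTSSOProvider that accepts RS256 access tokens issued by a Keycloak realm and resolves them to existing Syncope users, written against the Syncope 2.1 interface as I read it from [3] and [5] (getIssuer, getAlgorithm, verify, resolve). The class name, realm URL, audience value, how the realm public key is loaded and how the bean is registered in Core are assumptions; check them against the linked sources.

```java
import java.security.PublicKey;
import java.util.Set;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.spring.security.AuthDataAccessor;
import org.apache.syncope.core.spring.security.JWTSSOProvider;
import org.apache.syncope.core.spring.security.SyncopeGrantedAuthority;
import org.springframework.beans.factory.annotation.Autowired;

// Hypothetical provider (not Syncope's code): accepts RS256 tokens from one Keycloak
// realm and maps them onto existing Syncope users; realm URL and audience are placeholders.
public class KeycloakJWTSSOProvider implements JWTSSOProvider {
    // 1. Issuer to match: must equal the "iss" claim Keycloak writes into its tokens.
    private static final String ISSUER = "https://keycloak.example/auth/realms/syncope";
    // Only tokens minted for this client id are accepted (placeholder value).
    private static final String EXPECTED_AUDIENCE = "syncope-rest";
    private final JwsSignatureVerifier delegate;
    @Autowired private UserDAO userDAO;
    @Autowired private AuthDataAccessor authDataAccessor;

    public KeycloakJWTSSOProvider(final PublicKey realmPublicKey) {
        // Pin RS256 with the realm's public key: "alg: none" or HMAC-signed tokens cannot pass.
        this.delegate = new PublicKeyJwsSignatureVerifier(realmPublicKey, SignatureAlgorithm.RS256);
    }

    @Override public String getIssuer() { return ISSUER; }
    @Override public SignatureAlgorithm getAlgorithm() { return delegate.getAlgorithm(); }

    @Override
    public boolean verify(final JwsHeaders headers, final String unsignedText, final byte[] signature) {
        // "Different signature verification": refuse on header alg mismatch, then verify with RSA.
        return SignatureAlgorithm.RS256.equals(headers.getSignatureAlgorithm())
                && delegate.verify(headers, unsignedText, signature);
    }

    @Override
    public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JwtClaims claims) {
        // 2. Claims -> existing user. Issuer and signature were already checked by Syncope
        // before this call; audience is checked here so a token minted for another client is refused.
        if (claims.getAudiences() == null || !claims.getAudiences().contains(EXPECTED_AUDIENCE)) {
            return null; // no user resolved: Syncope rejects the call
        }
        String username = claims.getStringProperty("preferred_username");
        User user = username == null ? null : userDAO.findByUsername(username);
        // Never auto-provision: an unknown subject is refused, not created.
        return user == null ? null : Pair.of(user, authDataAccessor.getAuthorities(user.getUsername()));
    }
}
```

With such a bean in Core, the client still exchanges the authorization code with Keycloak itself; only the resulting access token is then presented to the Syncope REST endpoints as a bearer token.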
Using Syncope REST endpoints with an OIDC authorizationCode
Dear all,

Considering I have enabled the OIDC extension and properly configured my OIDC provider (keycloak), and considering I am able to retrieve from this provider an AuthorizationCode, how is it possible for me to use the REST endpoints using this authorization code?

Regards
Lionel